ColdFusion Muse

The "Certificate Authority" Racket

You might think that a "secure certificate" is all about encryption. Actually there are two reasons to buy a secure certificate, and only one of them is encryption. The other one is about "legitimacy". That second reason is a bit of a sham. It's also about how a very few companies get to profit from a ubiquitous and essentially free technology.

The "Authority" question

When your browser opens an SSL page for the first time it attempts to create an encrypted session by downloading the server's public key and negotiating session keys. So far so good. During that handshake, however, it also looks at the features of the certificate: the domain, the expiration, and the issuer or "certificate authority" (CA). The CA is the organization that issued the certificate. It is (in theory) a third party that has verified that your site is legitimate and that you have a right to use the certificate. The truth is that anyone with a certificate server can be an issuer. In fact there are a number of totally free certificate services out there. Microsoft has included certificate serving on its server line since the days of NT 4.0. So why are we paying for certificates?

The answer is in how the browser is configured by default. Try this experiment. Go to this URL in your Firefox browser. You will probably see a message that says "Unable to verify Katapultmedia.com as a trusted site". Now click on the button that says "Examine Certificate". Take a look and see if you can figure out the problem (don't look at the message at the top). The domain matches and it's not expired. Hmmm.... Now check out the message at the top. It says the "issuer is unknown". However, the issuer is definitely listed: it says "cacert.org".

If you accept the certificate your session will be encrypted with no problem. In fact, you can use an expired certificate and your session will still be encrypted. This message is not about encryption. It's not saying your "data may not be safe". It's saying that the site itself may not be safe because it has not been verified by a recognized certificate authority. And who are these authorities? I'm glad you asked. To see the list for the Firefox browser go to Tools > Options and click on the "Advanced" tab. Scroll down, expand the "Certificates" section and click on the button titled "Manage Certificates". Then select the "Authorities" tab at the top. You will see a long list of authorities. If one of these companies had issued the cert in question you would not have seen this message. To see Internet Explorer's list go to Tools > Internet Options and click on the "Content" tab. Then select the "Certificates" button and click on "Trusted Root Certification Authorities".

The idea is that some "other" disinterested party, one that (presumably) the browser makers have checked out, is verifying the legitimacy of your site. Of course, this is pretty much a sham. It's easy to get a certificate from a trusted authority, no matter who you say you are. It only takes money. It's a nice racket if you are Verisign, to be sure. If I'm an ecommerce store I'm forced to shell out in order to suppress the panicky message sent to the user by the browser, even though my user would be just as "safe" if I issued my own certificate or used a freebie. In fact, in cases where the site is not going to be public but still needs encryption, there's really no reason to go through the process of buying a certificate. Create your own or use a free one (like from cacert.org). Simply accept the cert the first time and forget about it.

For ecommerce sites however, that message is going to mean lost sales, and that can't be tolerated. Of course you could import new authorities into the browser: you could "force" the browser to recognize an issuer as an authority (which would effectively suppress the message). But this means forcing users to navigate a tricky technical landscape where they are not likely to venture. So you are stuck with buying a cert from a trusted authority. You might notice that both IE and Firefox support a pretty large group of authorities. The bad news is that some of these are the same company functioning under several authority names. It's also true that older browsers supported fewer trusted authorities, so your options get narrower and narrower depending on your requirements. If you have a large ecommerce site I suggest biting the bullet and buying a Verisign cert.

Additional Note

One thing I forgot to mention was the guarantees provided by the authority. Sites that function as certificate authorities also offer a form of "insurance" against the certificate being "cracked". Of course, a hacker would have to "crack" your cert and be able to sniff your traffic. While this is theoretically a possibility, I know of no lawsuits or incidents based on faulty or compromised certificates. Perhaps someone can enlighten me. It's sort of like hiring someone to protect you from tigers in South Dakota. "...but there aren't any tigers in South Dakota." "See what a good job we are doing!"

Comments
Very interesting post! Have you looked into what it takes to become a CA in the list provided by browser makers? I mean what does it take to become a 'trusted' CA like Verisign?
# Posted By Steve Nelson | 12/1/05 11:34 AM
I don't know. The equipment and technology is typically something you have already (Linux+open source or Windows 2000 server). I'm betting there's an audit procedure and maybe a little payola :)
# Posted By mkruger | 12/1/05 11:42 AM
I do a lot of surfing and get extremely annoyed by all the popup windows saying the certificate is expired or whatever, this EVEN THOUGH I have Firefox set to "don't ask". How can I get rid of the popup because I DON'T CARE! One such popup said the certificate had "expired" 5 minutes ago -- literally! How can I get it to go away permanently, without accepting every site permanently as valid because maybe that's not a good idea!
# Posted By CD | 6/26/06 8:52 AM
Carol,

While I share your frustration - I don't think it's going to be feasible to fix this without eliminating some security on your browser. It's an unfortunate by-product of the coupling of encryption with verification :)

-Mark
# Posted By mkruger | 6/26/06 3:14 PM
Thanks for a thought-provoking article... if only you would provide more examples of how "it only takes money" to get a Verisign certificate!

Also, I think you should stress the point of 'simply accept the cert the first time and forget about it' - but only after first examining the certificate and making sure that the only problem is with issuer CA. Otherwise, users could get into a habit of ignoring browser warnings and make themselves susceptible to future man-in-middle attacks.
# Posted By anoncoward | 8/5/06 12:21 PM
The reason browsers only trust certain CAs by default (and why we must pay to use these) is twofold:

1. A trusted CA will validate that you own the domain name on the certificate, i.e. Verisign won't sign my certificate if it says I'm microsoft.com.

2. A trusted CA will have the electronic and physical security needed to stop the private keys of their certificates being stolen, so if it's signed by them you can trust that it's not an imposter.
# Posted By Computing PhD | 11/1/08 4:33 PM
Having a certificate signed by a reputable authority *is* partially about securing your data. If you receive a warning about not recognizing the issuer, you could be experiencing a man in the middle attack.
# Posted By Wayne | 2/3/09 7:47 PM
@Wayne,

While this is true, it does not address the virtual monopoly of several CAs in this industry. It is also true that while you "may" be experiencing such an attack, the point of this post is that a self-signed cert, or one from a non-conventional CA, is no less encrypted than one from Verisign or Thawte.

I would add that in recent years (since this post was written) authorities like godaddy have brought the cost down to a more nominal fee - making some of the arguments here a moot point.

Meanwhile, how many instances of "man in the middle" do you suppose there are in the wild? It's hard to execute and pretty rare in my experience. I've never run across a live version in fact (and I get around :).

-mk
# Posted By Mark Kruger | 2/3/09 8:05 PM
@Wayne - mea culpa,

Ok... I can see how a MITM attack could be pretty easily accomplished if there is no end point verification (i.e. "authority") so I'm going to concede that point.

-Mark
# Posted By Mark Kruger | 2/3/09 8:14 PM
Yeah, with the ubiquity of wireless access points these days and the general lack of concern people show for connecting through whatever AP is unsecured, it's pretty easy to set up a man in the middle attack.

I'd bet lots of people do online banking while sitting in a Starbucks or airport lounge...
# Posted By Wayne | 2/3/09 8:25 PM
Thawte and Verisign are owned by the so-called "antivirus" / "security" software racket entity known as Symantec/Norton. Do a thorough WHOIS on thawte and verisign.
# Posted By WoodBeTech | 12/10/14 10:38 AM
@WoodbeTech,

I have deleted a couple comments pointed at articles (certification and certificate CA information). This is an article about the technical aspects of SSL and TLS - trying to keep the comment / content on point. I DO have an article on CAs in another area. Thanks.

-Mark
# Posted By Mark Kruger | 12/10/14 10:58 AM
Well now I just feel stupid :) I thought I was editing comments on my most recent article! I'm sorry - feel free to repost your links @woodBeTech - they were most certainly on point.
# Posted By Mark Kruger | 12/10/14 10:59 AM

Blog provided and hosted by CF Webtools. Blog Software by Ray Camden.